Tips on testifying in a computer crimes case

As an IT professional and working network administrator, you may find yourself called upon to testify as a victim or a witness (i.e., a representative of a company whose network is victimized) in a computer-related crime.

Another possibility is that you might someday want to use your technical expertise to become a professional expert witness in computer-related cases. In this article, we examine the basics of testifying in either capacity in a case involving computer crimes, and how you can move into the lucrative field of computer forensics, on either a full- or part-time basis.

Note: The discussion in this article is based on the U.S. legal system. The process of testifying is similar in most jurisdictions, but different rules and procedures may apply in other countries.

Understanding computer crime concepts

As the incidence of intrusions, attacks and release of malicious code (viruses, worms, Trojan horses, etc.) has grown and the real cost to businesses of dealing with these attacks has become more evident, prosecution of computer crime has become more common despite the difficulties involved in identifying and proving the case against an offender, who most often does his dirty work from a remote location.

Before testifying in court, it's important to understand basic legal concepts surrounding network attacks and intrusions. In the U.S. (and many other countries), a case can be brought against attackers and intruders under either criminal or civil law. A civil case, called a tort, is a lawsuit brought by a private citizen (or a corporation, which is an entity under law) against another person or legal entity, seeking some sort of relief (usually this is money, but sometimes it's in the form of an injunction, which is a court order compelling the other person to do or not do something).

A criminal case is an action brought by the government (local, state or federal) on behalf of society, and seeks to punish the offender. The punishment can be in the form of a fine, jail or imprisonment, or even (in capital cases, which generally only apply to the offense of murder with special circumstances) the death penalty.

The civil and criminal justice systems are completely separate. The same act can be both a crime and a tort, and a hacker could be sued in civil court and prosecuted in criminal court for the same act (the prohibition on double jeopardy applies only to criminal cases). In both civil and criminal cases, rules of evidence apply. These rules are not the same for both types of cases, however.

For example, the burden of proof is much higher in a criminal case. To win a civil case, the person bringing the suit (the plaintiff) is required only to prove his case by a preponderance of the evidence. That is, there must be more evidence supporting the allegation than there is against it. In a criminal case, the state must prove its case beyond a reasonable doubt, which means it is almost a certainty that the offender committed the crime.

In addition, crimes are prosecuted under different jurisdictions. An act may be a violation of local, state or federal law -- or all three. A person can be prosecuted and acquitted by the state and then prosecuted again under federal law for the same act; this does not constitute double jeopardy, either.

Regardless of what type of case you're testifying in, you are required to take an oath promising to tell the truth, and lying on the witness stand is a criminal offense itself, even if the case in which you're testifying is a civil case.

Testifying as a witness or victim

Attorneys present cases in court by introducing evidence. There are two basic types of evidence:

  • Physical evidence: Things that support the attorney's argument. This could be the "smoking gun," a photograph, or in the case of computer crimes, a firewall log or a computer hard disk holding data.
  • Direct evidence: Testimony of a person who has direct (firsthand) knowledge of what happened. Hearsay evidence (secondhand testimony from someone who was told something by a person who had direct knowledge) is generally not admissible except in special cases such as dying declarations, in which the person with the firsthand knowledge told the witness the information before dying.

Note that physical evidence must always be accompanied by direct evidence. That is, when a physical object is introduced as evidence, someone must testify as to its relevance to the case. As a network administrator or IT worker, you might be asked to testify that the firewall log introduced into evidence is the one you printed out immediately following an intrusion or attack.

Note: There is a third type of evidence, intangible evidence, which refers to something that cannot be seen or touched.

When you testify as a witness or a victim, it's important that your knowledge be firsthand -- not something you heard from someone else. If it's a jury trial, speak to the jury, not just to the attorney posing the question. If you don't understand the question, ask for clarification. If you don't know the answer to a question, say so. Don't just make something up.

Remember that jury members (and the judge, for that matter) are probably not technology experts. Make sure your answers are clear and simple enough for nontechies to understand. Avoid jargon and acronyms, even the ones that seem obvious to you (the average juror doesn't know what DNS is, and may not even know what DSL is). Don't "talk down" to the jury.

The opposing attorney may try to shake you up, make you contradict yourself or cast doubt on your testimony. That's his job. Don't take it personally. Even if the attorney shouts at you or derides you, just calmly answer the questions. Remain professional at all times. Not only does this lend more credibility to your testimony, but if you get angry and say things that are inappropriate, you could be found in contempt of court and fined or even jailed.

If no question has been asked, for example the attorney simply makes a statement, especially a provocative one such as "I don't think you really know how to read a firewall log," say nothing. Wait for a question. When being questioned by the opposing attorney (in most cases, that'll be the defense attorney), answer only the question that's asked, and no more. Don't volunteer anything. Don't try to explain things. Stick to the facts. If you think a question is improper, pause long enough to give the prosecutor time to object.

If you are testifying as a witness or a victim, you should meet with the prosecutor or a member of the prosecution team prior to giving your testimony. They should not tell you what to say, but they can give you advice on how to say it. If your testimony is used to introduce physical evidence, be sure you know exactly when the evidence left your hands and to whom it was given. This is important in establishing the chain of custody, which is a record of where the evidence was and who had control of it, from the time it was collected until the time it is presented in court.

Remember that when testifying as a witness or a victim, you can give only facts, not opinion.

Testifying as an expert witness

When testifying as an expert witness, your opinion is what it's all about. An expert witness doesn't have personal knowledge of the offense, but testifies based on his expertise in the subject matter about the facts given by other witnesses and provided by the physical evidence.

If you are testifying as an expert witness, you are actually working for one side or the other. Expert witnesses are hired by either the prosecution or the defense, and are usually paid (often quite well) for their testimony at a per-diem rate. There are many professional expert witnesses who provide testimony in many different cases (and for both prosecution and defense, although not for both sides in the same case).

The most important aspect of testifying as an expert witness is establishing your credentials. The court must accept your qualifications as an expert in order for you to be allowed to testify. The attorney on whose side you're called as an expert will ask you a series of questions designed to show your qualifications as an expert. You might be asked about your formal education in computer science, how many years you've worked in the tech business, specifics about your experience in the technical area the case involves (for example, encryption), books and articles you've published, awards you've received, courses you've taught, and so forth.

The opposing attorney will usually attempt to attack your credentials to get your testimony excluded or to cast doubt on its credibility if it is admitted.

The job of the expert witness is also to help simplify highly technical material so that nontechnical people (judge and jury) can understand it and make decisions based on it.

There are books and training courses available for those who want to be expert witnesses in the computer crimes area. New Technologies Inc. (NTI), which makes computer forensics software, offers training in presenting expert testimony on electronic evidence. Books such as Expert Witness Handbook by Dan Poynter offer tips on becoming a successful expert witness.

Some experts don't take the stand and testify, but instead act as consultants to the attorneys on the case. To get hired as an expert witness or consultant, you need to establish a reputation in the field of expertise and then make known your interest in participating in the judicial process. There are a number of services that locate expert witnesses for attorneys, such as IMS ExpertServices and Inc. You can register as an expert with these services for a fee.


More and more laws are being passed that pertain to computers and networks. As an IT professional, you may at some time in your career find yourself called upon to testify in court, either in relation to a criminal offense or civil action involving your own organization's computers or to give your expert opinion in a case in which you have no personal involvement.

The most important thing to remember, in both cases, is to be sure you know your stuff inside and out. The judicial process is an adversarial one, which means there are attorneys on both sides attempting to build their own case and tear down the opposition's case. As a witness, you are called by and seen as part of one side or the other, and you must be prepared for questions from the opposing side that will challenge your testimony and perhaps attempt to cast doubt on your honesty, integrity and expertise.

Your testimony as a victim or eyewitness could be instrumental in bringing a computer criminal to justice or recovering damages for your organization. Your testimony as an expert witness could be the deciding factor in a criminal or civil trial and could also result in a lucrative career for you.

Debra LittleJohn Shinder (MCSE) is a technology consultant, trainer and writer who has written a number of books on networking, including Computer Networking Essentials, published by Cisco Press, and Scene of the Cybercrime, published by Syngress Media. She is co-author, with her husband Dr. Thomas Shinder, of Troubleshooting Windows 2000 TCP/IP and Configuring ISA Server 2000 and ISA Server and Beyond. She edited Syngress's Security + Study Guide and was a major contributor to Que's TruSecure ICSA Certified Security Associate exam guide. Shinder lives in the Dallas-Fort Worth area and can be reached at or via the Web site at

Copyright © 2005 IDG Communications, Inc.
